Closed
Bug 604495
Opened 14 years ago
Closed 14 years ago
Memory corruption in the GIF decoder destruction
Categories: Core :: Graphics: ImageLib, defect
Tracking: Status RESOLVED FIXED; Target Milestone mozilla2.0b7; blocking2.0 final+
People
(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)
Keywords: crash, regression
Attachments (1 file): patch (deleted), joe: review+
We use moz_xmalloc (which maps to je_malloc on jemalloc enabled builds) to allocate mGIFStruct.local_colormap, and then we free it using PR_FREEIF which maps to PRFree which in turn maps to stdlib's free. This means that we allocate memory from one heap and try to free it on another.
If we're lucky, this means that we're leaking. If we're not lucky, it means that we're crashing, or corrupting arbitrary memory, or worse.
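The cross-heap free the report describes, as an added C example that is not Mozilla's code: the two heaps are simulated as tagged allocators (illustrative names moz_xmalloc_sim, pr_free_sim, moz_free_sim, gif_sim), so a free routed to the wrong heap is detected and refused instead of silently corrupting memory, and the correctly paired teardown succeeds.

```c
/* Added example, not Mozilla's code. Each allocation carries a header that
 * records which "heap" produced it; a free on the other heap is rejected.
 * Names ending in _sim are illustrative stand-ins for the functions named
 * in the bug (moz_xmalloc / PR_Free). */
#include <stdint.h>
#include <stdlib.h>

enum heap_id { HEAP_JE = 1, HEAP_STD = 2 };

typedef struct { uint32_t magic; uint32_t heap; } alloc_hdr;
#define HDR_MAGIC 0x434D4150u /* "CMAP" */

static void *tagged_alloc(size_t n, uint32_t heap) {
    alloc_hdr *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->magic = HDR_MAGIC;
    h->heap = heap;
    return h + 1;                       /* user data follows the header */
}

/* Returns 0 on success, -1 when the pointer belongs to a different heap
 * (the block is left untouched so the caller can release it correctly). */
static int tagged_free(void *p, uint32_t heap) {
    if (!p) return 0;
    alloc_hdr *h = (alloc_hdr *)p - 1;
    if (h->magic != HDR_MAGIC || h->heap != heap) return -1;
    h->magic = 0;                       /* poison to catch double frees */
    free(h);
    return 0;
}

/* Simulated allocators: jemalloc-backed moz_xmalloc vs stdlib-backed PR_Free. */
static void *moz_xmalloc_sim(size_t n) { return tagged_alloc(n, HEAP_JE); }
static int   pr_free_sim(void *p)      { return tagged_free(p, HEAP_STD); }
static int   moz_free_sim(void *p)     { return tagged_free(p, HEAP_JE); }

struct gif_sim { uint8_t *local_colormap; };

/* The pairing from the report: allocated on one heap, freed on another. */
int colormap_buggy_teardown(void) {
    struct gif_sim g;
    g.local_colormap = moz_xmalloc_sim(256 * 3);
    int rc = pr_free_sim(g.local_colormap);   /* mismatch detected: -1 */
    moz_free_sim(g.local_colormap);           /* release via the right heap */
    return rc;
}

/* The intended pairing: free with the same heap that allocated. */
int colormap_fixed_teardown(void) {
    struct gif_sim g;
    g.local_colormap = moz_xmalloc_sim(256 * 3);
    return moz_free_sim(g.local_colormap);    /* 0 */
}
```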
Comment 1 • 14 years ago (Assignee)
Attachment #483280 -
Flags: review?(joe)
Comment 2 • 14 years ago (Assignee)
This should block 2.0, and also branches if we do the same thing there as well.
blocking2.0: --- → ?
Comment 3 • 14 years ago (Assignee)
This is a regression from http://hg.mozilla.org/mozilla-central/rev/389e836517bc (bug 514033), so I guess it is not applicable to branches.
Blocks: 514033
Keywords: regression
Updated • 14 years ago
Attachment #483280 -
Flags: review?(joe) → review+
Updated • 14 years ago
blocking2.0: ? → final+
Updated • 14 years ago (Assignee)
Whiteboard: [needs landing]
Comment 4 • 14 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [needs landing]
Target Milestone: --- → mozilla2.0b8
Updated • 14 years ago
Target Milestone: mozilla2.0b8 → mozilla2.0b7